After you download your Cortex XDR Broker VMDK image, you can convert the image to Amazon Web Services (AWS) AMI using the AWS CLI. The task below explains how to do this on Ubuntu Linux.
You need to set up an AWS VM Import role (vmimport) before you continue with the steps to convert the image as it is required for the import-image CLI command. You can use a different role, if the role vmimport doesn't exist or doesn't have the required permissions. For more information on setting up an AWS VM Import role and the permissions required, see Required service role.
To convert the image:
Create an IAM User with Proper Permissions
You need to log in using an AWS Identity and Access Management (IAM) user, where the permissions are defined in the IAM policy to use the virtual machine Import and export.
Log in to the AWS IAM Console, and in the navigation pane, select → → .
Select Access key - Programmatic access as the AWS credential type, and click Next: Permissions.
Select → ,
In the JSON tab, copy and paste the following syntax to define the policy:
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "s3:GetBucketLocation" "s3:GetObject", "s3:PutObject" ], "Resource": ["arn:aws:s3:::mys3bucket","arn:aws:s3:::mys3bucket/*"] }, { "Effect":"Allow", "Action": [ "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CreateImage", "ec2:CreateInstanceExportTask", "ec2:CreateTags", "ec2:DescribeConversionTasks", "ec2:DescribeExportTasks", "ec2:DescribeExportImageTasks", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:ExportImage", "ec2:ImportInstance", "ec2:ImportVolume", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ImportImage", "ec2:ImportSnapshot", "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks", "ec2:CancelImportTask" ], "Resource":"*" } ] }Click Next until you can specify the Policy name, and then click Create Policy.
Select the policy that you created above based on the syntax you added.
Complete the user creation process.
After confirmation that the user is created, record the following user information, which you will need later.
User name
Access key ID
Secret access key
Setup AWS CLI in Ubuntu 18
Install the AWS CLI and configure it with the IAM user that you created.
Login to the server with admin privilege and install the AWS CLI.
# sudo bash # apt install awscli
Run the following command to configure the AWS CLI:
# aws configure
You need to specify the proper configurations for the following:
AWS Access Key ID—The Access key ID for the IAM user you created.
AWS Secret Access Key—The Secret access key for the IAM user you created.
Default region name—The Region where you've defined the IAM user you created.
You are now ready to implement commands in the AWS CLI.
Create an AMI Image
To create an AMI image, you need to download Broker VM VMDK file from the Cortex XDR Web Console, import this file to your S3 bucket, and then convert the VMDK file in the S3 bucket into an AMI Image.
In the Cortex XDR Web Console , select → → → → → .
Download the VMDK file, such as
broker-vm-<broker-vm-version>.vmdk, to you ubuntu computer.Navigate and log in to your AWS account.
In the AWS Console, navigate to → → → .
In the S3 buckets page, + Create bucket to upload your Broker VM image to this bucket.
Specify a unique name for the S3 bucket and use the default configurations.
Upload the Broker VM VMDK you downloaded from Cortex XDR to the AWS S3 bucket.
Run
# aws s3 cp ~/<path/to/broker-vm-version.vmdk> s3://<your_bucket/broker-vm-version.vmdk>Prepare the following configurations files on your hard drive.
configuration.json
Run the following command in Ubuntu:
# vi configuration.json
Copy and paste the following syntax into the json file.
In S3Bucket, replace <your_bucket> with the Bucket Name and not its ARN Name. S3Key is the VMDK filename, which you should replace instead of <broker-vm-version.vmdk>.
[ { "Description":"Cortex XDR Broker VM <version>", "Format":"vmdk", "UserBucket":{ "S3Bucket":"<your_bucket>", "S3Key":"<broker-vm-version.vmdk>" } } ]
trust-policy.json
Run the following command in ubuntu:
# vi trust-policy.json
Copy and paste the following syntax into the json file.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vmie.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals":{ "sts:Externalid": "vmimport" } } } ] }
role-policy.json
Run the following command in Ubuntu:
# vi role-policy.json
Copy and paste the following syntax into the json file. Replace the <disk-image-file-bucket> and <export-bucket> with the correct bucket name. You can specify * to configure access to all your S3 buckets.
{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::<disk-image-file-bucket>", "arn:aws:s3:::<disk-image-file-bucket>/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::<export-bucket>", "arn:aws:s3:::<export-bucket>/*" ] }, { "Effect": "Allow", "Action": [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*" ], "Resource": "*" } ] }
Use the
create-rolecommand to create a role namedvmimportand grant VM import and export access to thetrust-policy.jsonfile.# aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"Use the
put-role-policycommand to attach the policy to thevmimportrole created above.# aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file:// role-policy.json"Create an AMI image from the VMDK file.
Run
# aws ec2 import-image --description "Cortex XDR Broker VM <Version>" --disk-containers "file://configuration.json"Note
Creating an AMI image can take up to 60 minutes to complete.
To track the progress, use the
task idvalue from the output and run:# aws ec2 describe-import-image-tasks --import-task-ids import-ami-<task-id>Completed status output example:
{ "ImportImageTasks":[ { "...", "SnapshotDetails":[ { "Description":"Broker VM version", "DeviceName":"/dev/<name>", "DiskImageSize":2976817664.0, "Format":"VMDK", "SnapshotId":"snap-1234567890", "Status":"completed", "UserBucket":{ "S3Bucket":"broker-vm", "S3Key":"broker-vm-<version>.vmdk" } } ], "Status":"completed", "..." } ]}Once the task is complete, the AMI Image is ready for use.
(Optional) After the AMI image has been created, you can define a new name for the image.
Select → → → and locate your AMI image using the task ID. Select the pencil icon to specify a new name.
Launch a Broker VM Instance in AWS EC2
You can launch the a Broker VM instance in AWS EC2 using the AMI Image created.
To view the AMI image that you added, select → → → .
Select → , search for your AMI image, and Launch the file.
In the Launch Instance Wizard define the instance according to your company requirements and Launch.
(Optional) In the Instances page, locate your instance and use the pencil icon to rename the instance Name.
Define HTTPS and SSH access to your instance.
Right-click your instance, and select → .
In the Change Security Groups pop-up, select HTTPS to be able to access the Broker VM Web UI, and SSH to allow for remote access when troubleshooting. Make sure to allow these connections to the Broker VM from secure networks only.
Note
Assigning security groups can take up to 15 minutes.
Verify the Broker VM has started correctly.
Locate your instance, right-click, and select → .
You are directed to your Broker VM console listing your Broker details.
Register the Broker VM
Registration of the Broker VM to Cortex XDR is performed from the Broker VM Web Console.
Obtain a registration token from the Cortex XDR Web Console by selecting → → → → → .
Determine the IP Address of the EC2 instance and use it to open the Broker VM Web Console, such as
https://<ip_address>.Complete the registration process by entering the token information.